Published on July 8th, 2024
Popular video-sharing platform TikTok has acknowledged a security issue exploited by threat actors to take control of high-profile accounts on the platform.
Zero-Click Account Takeover Campaign
The development, first reported by Semafor and Forbes, involves a zero-click account takeover campaign in which malware delivered through direct messages compromised brand and celebrity accounts without any user interaction.
The exploit leverages a zero-day vulnerability in the messaging component, allowing malicious code to execute as soon as the message is opened.
Though the extent of the impact remains unclear, TikTok has implemented preventive measures to halt the attack and prevent future occurrences.
The company is directly assisting impacted account holders in restoring access.
It has indicated that only a “very small” number of users were compromised but did not elaborate on the specifics of the attack or the mitigation techniques applied.
Previous Security Incidents
TikTok has faced previous security concerns, including a flaw disclosed by Check Point in January 2021 and a one-click exploit uncovered by Microsoft in September 2022.
Ongoing Security Challenges
Imperva disclosed a flaw over a year ago that allowed attackers to monitor users’ activity and access sensitive information.
Various incidents, such as the compromise of 700,000 accounts in Turkey and malware delivery through the Invisible Challenge, underscore the ongoing efforts of bad actors to exploit the platform.
Geopolitical Concerns and Legal Battles
Concerns over TikTok’s Chinese ownership have led to legal challenges, and the app faces bans in several countries, including India, Nepal, and Senegal.
TikTok recently filed a lawsuit in the U.S., contesting a law that would ban the app unless it is divested from ByteDance.